I have to agree with Ben. If possible in your application, use variable scopes that do not have to be sent to the client (session and client variables work very nicely for this). URL and FORM vars, while being great tools, are sometimes risky, and it takes time to write extra code to prevent exploitation.
EC

-----Original Message-----
From: BEN MORRIS [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 1:25 PM
To: CF-Talk
Subject: Re: Preventing URL Variables from being changed

When they log in, set session.UserID

Whenever a record is accessed do a check to make sure that record.UserID = session.UserID, and if not then give them some "unauthorized" message or whatever.

>>> David Douglas <[EMAIL PROTECTED]> 01/18/02 01:25PM >>>
Hello,

I set up a view query where it only displays records on the user's ID. I notice that if I change the ID name in the URL it will show the other records for that ID. I am sure there is a simple way to prevent this. Any help is greatly appreciated.

Thanks
Dave
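
The ownership check suggested in this thread, written out as an added example that is not code from any of the posters. The datasource "appDSN", the table "Records" with its columns, and the url.RecordID parameter are assumed names; session.UserID is the value set at login as described above.

```cfml
<!--- view_record.cfm: added example. "appDSN", "Records", its columns and
      url.RecordID are assumed names, not taken from the thread. --->

<!--- session.UserID is set at login; without it there is no identity to check against --->
<cfif NOT structKeyExists(session, "UserID")>
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfoutput>Please log in.</cfoutput>
    <cfabort>
</cfif>

<!--- Reject a missing or non-integer record id before it reaches the query --->
<cfif NOT structKeyExists(url, "RecordID") OR NOT isValid("integer", url.RecordID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid record id.</cfoutput>
    <cfabort>
</cfif>

<!--- The record id may come from the URL, but the owner always comes from
      the session, so editing the URL cannot select another user's row. --->
<cfquery name="getRecord" datasource="appDSN">
    SELECT RecordID, UserID, Title
    FROM Records
    WHERE RecordID = <cfqueryparam value="#url.RecordID#" cfsqltype="cf_sql_integer">
      AND UserID   = <cfqueryparam value="#session.UserID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- No row means the record does not exist or belongs to someone else;
      both cases get the same "unauthorized" response. --->
<cfif getRecord.recordCount EQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>You are not authorized to view this record.</cfoutput>
    <cfabort>
</cfif>

<cfoutput query="getRecord">
    <h2>#encodeForHTML(getRecord.Title)#</h2>
</cfoutput>
```

For a listing page like the one in the original question, the same rule applies: filter on session.UserID in the WHERE clause and do not accept a user ID from the URL at all.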